CVE-2019-0187 - OpenCVE

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Jmeter

Configuration 1 [-]

OR	cpe:2.3:a:apache:jmeter:4.0:::::::*
	cpe:2.3:a:apache:jmeter:5.0:::::::*

No data.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E
http://www.securityfocus.com/bid/107219

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2019-03-06T17:00:00Z

Updated: 2024-09-16T17:53:55.501Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0187

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-03-06T17:29:00.383

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-0187

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache JMeter", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache JMeter 4.0 to 5.0"}]}], "datePublic": "2019-03-02T00:00:00", "descriptions": [{"lang": "en", "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."}], "problemTypes": [{"descriptions": [{"description": "Unauthenticated RCE", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-07T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "107219", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107219"}, {"name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2019-03-02T00:00:00", "ID": "CVE-2019-0187", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache JMeter", "version": {"version_data": [{"version_value": "Apache JMeter 4.0 to 5.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unauthenticated RCE"}]}]}, "references": {"reference_data": [{"name": "107219", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107219"}, {"name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:14.808Z"}, "title": "CVE Program Container", "references": [{"name": "107219", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107219"}, {"name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0187", "datePublished": "2019-03-06T17:00:00Z", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-09-16T17:53:55.501Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jmeter:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7207C91F-9D2B-4525-B1CE-6C6B358B24A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jmeter:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "20C4FF95-8BBB-4EF2-BDF9-8260BDB3411F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."}, {"lang": "es", "value": "La ejecuci\u00f3n remota de c\u00f3digo (RCE) autenticada es posible cuando JMeter se utiliza en su modo de distribuci\u00f3n (en las opciones de l\u00ednea de comando -r o -R). Un atacante puede establecer una conexi\u00f3n RMI a un servidor jmeter utilizando RemoteJMeterEngine y proceder con un ataque mediante el uso de una deserializaci\u00f3n de datos no confiable. Esto solo afecta a la pruebas en ejecuci\u00f3n en el modo distribuido. N\u00f3tese que las versiones anteriores a la 4.0 no son capaces de cifrar el tr\u00e1fico entre los nodos ni de identificar los nodos que participan, por lo que se aconseja actualizar a JMeter 5.1."}], "id": "CVE-2019-0187", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-06T17:29:00.383", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107219"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}, {"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}